Automated tools can only go so far in detecting complex security issues. Our seasoned security experts conduct meticulous manual secure-code reviews, using automated tools only to help focus the review, and dive deep into the source code to find the intricate vulnerabilities that automated scans miss. With a keen eye for detail and extensive experience, we identify the code with the most significant security implications for your application and then scrutinize it for potential risks. Code-level remediation advice follows, giving developers fixes in the form they can act on most directly.
To understand Redpoint Security’s process for conducting Secure-Code Review, it’s worth emphasizing that our founder Seth Law, together with Ken Johnson, developed the Absolute AppSec methodology for Secure-Code Review, one of the most widely used frameworks for reviewing modern application code. The methodology gives AppSec testers conducting code reviews a set of principles and frameworks for approaching a new codebase, orienting themselves in the code regardless of their familiarity with the languages and technologies involved, and developing a game plan for analyzing the codebase for bugs.
The first incarnation of the Absolute AppSec secure-code review methodology, and the course Seth and Ken have taught about the approach, used Bill & Ted’s Excellent Adventure as an extended motif for getting good at code review.1 From that auspicious beginning, they developed the methodology as well as the Circle-K framework, which ensures that code reviews build out enhanced review checklists derived from the specific knowledge gained from poring over the application codebase.
The Absolute AppSec methodology for Secure-Code Review and its Circle-K framework inform how Redpoint Security approaches Secure-Code Review engagements. Testers have a repeatable, step-by-step guide to performing reviews, and a feedback loop that makes the review smarter as the testers learn more about your codebase and application. As a result, the experience Redpoint testers bring to code review projects is second to none. We use that expertise to provide you and your development team with reports full of actionable remediation advice, pointing to the specific lines of code that need fixing. There’s a reason we say we do code security by coders. If you’re curious to learn more about how a Redpoint Security SCR could help improve your application and better protect your assets and your customers’ data, please complete the form below.
- The Absolute AppSec course in practical secure-code review has been taught on five continents and has repeatedly been offered as training at Black Hat and DEF CON in Las Vegas, at various AppSec Days, and at security conferences around the globe. The course’s alumni include some of the most successful and influential members of the infosec community. If you’re interested in learning more about the course (also offered privately for individual organizations), see our trainings page. ↩︎